Atmo

Detections - view username


Hello,

Is it possible to view the username in the "detections" list?

As it shows Endpoint name and process name, it should be possible to also get username, and would be great to have.

Thanks,


Greetings,

I don't believe individual protection logs from the client do show the user in relation to the context of the detected process, however that doesn't necessarily mean that you'll be able to determine which actual user the detection was made under as it is possible for it to show SYSTEM as the user as it's more related to the user context for the specific process, not necessarily which user is currently logged in as the primary user for the device if that makes sense.  That said, if you have either of the business products that include the Timeliner application (included with Malwarebytes Incident Response as well as Malwarebytes Endpoint Protection & Response) then this information should be included I believe, or at least it should provide sufficient information to make that determination.

If what you're looking for specifically is to know which user was logged into the machine interactively at the time of a detection, for example to determine which user may have opened an infected email, visited a blocked website or executed a malicious file, particularly in an environment where multiple users may be logged into the same device at the same time, then I'm not certain that this could easily be determined as most of the protection components operate under the system level above user mode meaning most of the detection activities don't or aren't able to determine which user may have set off a particular detection event, at least as I understand it (things can get pretty tricky dealing with user tokens and process states).

I'm not one of the Malwarebytes Developers though, so what you are requesting may be possible as I may be overthinking it; I'm just speaking from my own limited knowledge of how processes work within Windows. I will still put in a request for this feature and if it is possible, hopefully we will see it in a future release.

Thank you for the request, and if you have any further ideas, suggestions or feedback please let us know.

Thanks
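
The distinction drawn in the reply above (the process's user context versus who was interactively logged on) can be worked around outside the product by correlating the detection time with Windows logon sessions. The following is an added example, not part of the original thread and not Malwarebytes code; it assumes Security log events 4624 (logon) and 4634/4647 (logoff) have been exported into records with the hypothetical field names shown, and all sample data is constructed.

```python
from datetime import datetime

# Logon types that represent a person at a desktop session:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample records shaped like Windows Security events:
# 4624 = logon, 4634 / 4647 = logoff. Users and logon IDs are made up.
EVENTS = [
    {"time": "2024-03-05T08:01:12", "id": 4624, "user": "alice", "logon_id": "0x3e9a1", "type": 2},
    {"time": "2024-03-05T08:01:30", "id": 4624, "user": "svc_backup", "logon_id": "0x3f000", "type": 5},
    {"time": "2024-03-05T09:15:40", "id": 4624, "user": "bob", "logon_id": "0x51c77", "type": 10},
    {"time": "2024-03-05T10:30:05", "id": 4647, "user": "alice", "logon_id": "0x3e9a1"},
    {"time": "2024-03-05T11:45:00", "id": 4634, "user": "bob", "logon_id": "0x51c77"},
]

def sessions(events):
    """Pair logon and logoff events by logon ID into (user, start, end) tuples."""
    open_sessions, closed = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev["type"] in INTERACTIVE_TYPES:
            open_sessions[ev["logon_id"]] = (ev["user"], ts)
        elif ev["id"] in (4634, 4647) and ev["logon_id"] in open_sessions:
            user, start = open_sessions.pop(ev["logon_id"])
            closed.append((user, start, ts))
    # Sessions with no logoff record are treated as still open.
    closed += [(u, s, None) for u, s in open_sessions.values()]
    return closed

def candidate_users(detection, events):
    """Users with an interactive session open at the detection time."""
    when = datetime.fromisoformat(detection["time"])
    return sorted({u for u, start, end in sessions(events)
                   if start <= when and (end is None or when < end)})

# Constructed detection: the flagged process ran as SYSTEM, as the reply describes.
DETECTION = {"time": "2024-03-05T09:47:00", "process": "example.exe", "process_user": "SYSTEM"}

if __name__ == "__main__":
    users = candidate_users(DETECTION, EVENTS)
    print(f"process context: {DETECTION['process_user']}, interactive users: {users}")
```

With two users logged on at the detection time, the result is a list of candidates rather than a single name, which is the multi-user ambiguity the reply points out.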

